REMARKS



This Preliminary Amendment is submitted to improve the form of the English translation 
as filed. It is respectfully requested that this Preliminary Amendment be entered in the above- 
referenced application. 

In accordance with the foregoing, claims 1-10 have been canceled and claims 11-21 
have been added. Thus, claims 11-21 are pending and are under consideration. 

A substitute specification is also being filed herewith. The substitute specification is 
accompanied by a marked-up copy of the original specification. No new matter has been added. 

If there are any questions regarding these matters, such questions can be addressed by 
telephone to the undersigned. Otherwise, an early action on the merits is respectfully solicited. 

If there are any additional fees associated with filing of this Preliminary Amendment, 
please charge the same to our Deposit Account No. 19-3935. 



Respectfully submitted,



STAAS & HALSEY LLP 



Date: 





Richard A. Gollhofer 
Registration No. 31,106 



1201 New York Ave, N.W., 7th Floor 
Washington, D.C. 20005 
Telephone: (202)434-1500 
Facsimile: (202)434-1501 
IN THE ABSTRACT:



Please DELETE the Abstract in its entirety and substitute the attached new Abstract. 
IN THE SPECIFICATION:

Please REPLACE the pending specification with the substitute specification attached 
hereto. 
AMENDMENTS TO THE DRAWINGS:

The attached drawing includes changes to FIG. 1 to reorient text that was not printed in 
accordance with U.S. patent rules. The sheet containing FIG. 1 replaces the original sheet in 
the international application. 
MARKED-UP SUBSTITUTE SPECIFICATION



TITLE OF THE INVENTION 

SECURITY MODULE FOR ENCRYPTING A TELEPHONE CONVERSATION 



CROSS REFERENCE TO RELATED APPLICATIONS 

[0001] This application is based on and hereby claims priority to German Application No. 
10355418.1 filed on November 27, 2003, the contents of which are hereby incorporated by 
reference. 

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

[0002] The invention relates to a security module for encrypting a telephone conversation 
between one or more first telecommunication terminals in a packet-oriented data network and 
one or more second telecommunication terminals in an analog and/or digital telephone network. 

2. Description of the Related Art 

[0003] Telephony in IP networks is known from the related art. Standards now exist in 
which the signaling for telephony in IP networks is defined. The standards concerned here are 
the IETF Standard SIP and the ITU Standard H.323; this telephony is also referred to as "Voice 
over IP" (VoIP) and is mainly employed in LAN or WLAN-based networks (LAN = Local Area 
Network, WLAN = Wireless Local Area Network). With VoIP telephony, security aspects have been 
mainly considered to date in relation to the authenticity and integrity of control and signaling 
data. In future solutions, in addition to the pure signaling security, the security of the 
transferred voice data will also be considered. To secure voice data in IP networks, for example, 
the encrypted transport protocol SRTP (SRTP = Secure Real-time Transport Protocol; see 
Baugher et al.; The Secure Real-time Transport Protocol; Work in Progress; 
search.ietf.org/internetdrafts/draft-ietf-avt-srtp-09.txt) comes into consideration. 

[0004] With the current security solutions, however, only security of voice data in packet- 
oriented networks is guaranteed. Although security solutions also exist for telephony in public 
telephone networks, there has thus far been no opportunity for conducting encrypted telephone 
conversations from a packet-oriented network to a public telephone network. 
SUMMARY OF THE INVENTION



[0005] An aspect of the invention is therefore to create a security module for 
encrypting a telephone conversation which enables encryption of the voice data in a 
heterogeneous network including a packet-oriented data network and a telephone network. 

[0006] The inventive security module serves to encrypt a telephone conversation between 
one or more first telecommunication terminals in a packet-oriented data network and one or 
more second telecommunication terminals in an analog and/or digital telephone network, with 
data packets being transported using an encrypted transport protocol in the packet- 
oriented network and the keys for the encrypted transport protocol being exchanged using 
a key exchange protocol. A telephone network is taken below to be any type of PSTN 
(PSTN = Public Switched Telephone Network) which means that both an analog and also a 
digital telephone network can be involved. The packet-oriented network and the telephone 
network in this case are connected to each other via a gateway computer and the security 
module can be connected into a connecting line at a first or second telecommunication terminal 
for a telephone conversation. The term "connecting line" is in this case to be understood in 
general terms, which means that it can involve a wired and also a wireless connection at the 
corresponding telecommunication terminal. 

[0007] The inventive security module includes a protocol processing device which 
processes messages of the key exchange protocol as well as data packets transported 
using the encrypted transport protocol, if the security module is connected into a 
connecting line for a telephone conversation at a first or second telecommunication terminal. 
The task of the protocol processing device is to convert voice signals which are created at the 
corresponding telecommunication terminal into data packets for transport via the encrypted 
transport protocol and to convert incoming data packets at the security module which are 
transported via the encrypted transport protocol, into voice signals. 

[0008] The security module further features a modem connection unit which is always used if 
the security module is connected into a connection line at a second telecommunication terminal. 
In this case the modem connection unit sets up a modem connection for a telephone 
conversation between the second telecommunication terminal and the gateway and/or a further 
second telecommunication terminal, with data packets being transported using the 
encrypted transport protocol as well as messages of the key exchange protocol over the modem 
connection. Preferably a PPP connection (PPP = Point-to-Point Protocol) runs over the modem 
connection with which the data packets of the transport protocol as well as messages of the key 
exchange protocol are transported. The modem connection unit in the security module thus 
implements a transfer of encryption technologies from packet-oriented networks into public 
telephone networks. This is possible since modem connections currently have sufficient 
bandwidth or transmission rates for transmitting real-time media data packets. 

[0009] In an especially preferred embodiment SRTP is used as the encrypted transport 
protocol (see Baugher et al.). The key exchange protocol MIKEY (= Multimedia 
Internet KEYing) is preferably used for the exchange of the keys which are used in the 
encrypted transport protocol. MIKEY is currently a draft at the IETF which will be declared a 
standard in the foreseeable future. 

[0010] In a further embodiment of the security module messages of the key exchange 
protocol are transported for a telephone conversation via the SIP (SIP = Session Initiation 
Protocol), with the protocol processing device of the security module being embodied such that 
it can process this protocol. 

[0011] The telephone network in which the inventive security module is used is for example a 
digital ISDN network. Preferably the modem connection unit in this case sets up a modem 
connection via the B channel in the ISDN network. The packet-oriented network involved is 
preferably an IP-based data network, especially a LAN network. The modem connection unit 
preferably establishes a modem connection in accordance with the V90 and/or V92 standard, 
with this standard providing a sufficient bandwidth or transmission rates for transmitting data 
packets from packet-oriented networks. 

[0012] In a variant of the invention the security module is used for telephones with a 
connecting cable between telephone and telephone handset, with the security module being 
embodied such that it can be connected into the connecting cable. 
BRIEF DESCRIPTION OF THE DRAWINGS

[0013] These and other objects and advantages of the present invention will 
become more apparent and more readily appreciated from the following description of the 
preferred embodiments, taken in conjunction with the accompanying drawing of which: 

Figure 1 is a schematic diagram of a heterogeneous network in which the inventive 
security module for encryption of voice signals is used. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT 

[0014] Reference will now be made in detail to the preferred embodiments of the present 
invention, examples of which are illustrated in the accompanying drawings, wherein like 
reference numerals refer to like elements throughout. 

[0015] The heterogeneous network shown in Figure 1 on the one hand includes an IP-based 
LAN (LAN = Local Area Network) as well as a public TDM (TDM = Time Division Multiplexing) 
telephone network. The TDM network is a digital network, with a special analog speech channel 
being used however for transmission of spoken words. The LAN and the TDM network are 
connected to each other via a gateway G. The gateway is used to modify IP data packets 
transmitted in the LAN network for forwarding in the TDM network as well as data from the TDM 
network for forwarding in the LAN network in the appropriate manner. 

[0016] There are two VoIP clients VoIP-C in the LAN network which make telephony via 
packet-oriented networks possible. The SIP or H.323 standards sufficiently well-known to the 
person skilled in the art can be used when telephoning via "Voice over IP". The lower VoIP 
client in Fig. 1 is a telephone with which the intention is to set up an encrypted telephone call. 
Therefore the inventive security module is connected between the handset of the telephone and 
the actual telephone in the corresponding connecting line. 

[0017] In the TDM network of Figure 1 for example two TDM clients, TDM-C, in the form of 
telephones are shown, with which encrypted telephone conversations can also be conducted. 
Therefore in these telephones too the inventive security module SM is also connected in the 
connecting line between the handsets and the actual telephone. 

[0018] The security modules known from the related art allow an encryption of the 
telephone call only within the TDM network, in which case each telephone caller, to set up an 
encrypted telephone call, creates a key by pressing a button on his security 
module, with the keys then being exchanged via a proprietary signaling protocol between the 
telephones of the participants. Finally combinations of numbers are shown on the displays 
integrated into the security modules, which the callers exchange with each other over 
the telephone connection. If the combinations of numbers match, it can be assumed that the call 
is not being overheard by any third party, so that encrypted data transmission is finally 
undertaken with the aid of the exchanged keys, with a proprietary protocol again being used here. 
Experiments have shown that with the known security modules no encrypted 
telephone conversations between a telephone in a packet-oriented network and a telephone in 
a TDM network can be conducted. The reason is that in packet-oriented networks the data 
is transmitted asynchronously, which can lead to bandwidth variations (also known as jitter) 
which cannot be processed by known security modules. Likewise data packet 
losses arising in packet-oriented networks lead to problems with known security 
modules. 

[0019] The security module in accordance with the embodiment described here solves this 
problem by being able to process the protocols known from the IP world for encrypting data in a 
normal public TDM network. To this end a protocol processing device is provided in the security 
module which can process the encrypted transport protocol SRTP (SRTP = Secure Real-time 
Transport Protocol). This protocol is likely to become the future standard for encrypted 
transmission of media data. In addition the protocol processing device can process the key 
exchange protocol MIKEY. Keys are created with this protocol and exchanged between the clients 
or telephones in the heterogeneous network of Fig. 1. The keys in this case are used by the 
transport protocol SRTP for encrypted transmission of the data packets. The protocol 
processing device enables facilities such as encrypted telephony between VoIP clients in the 
LAN network. This is shown in Figure 1 by the double arrows MIKEY-KM (KM stands for Key 
Management) and SRTP-MS (MS stands for Media Security). 

[0020] To set up an encrypted telephone call between subscribers in the TDM network or 
between a subscriber in the LAN network and a subscriber in the TDM network, the security 
module SM features a modem connection unit. This modem connection unit establishes a 
modem connection for a telephone conversation of a subscriber in the TDM network to a 
subscriber in the LAN network via a voice channel in the TDM network to the gateway G. 
Preferably this involves a V92 modem connection which can transmit the data at 56 kbit/s 
downstream and 48 kbit/s upstream. Via this connection a further connection is made available 
via the PPP (PPP = Point to Point Protocol), with data being transported via the latter in the key 
exchange protocol MIKEY or in the SRTP protocol. Since these protocols can be processed by 
the protocol processing device in the security module SM a migration of the protocols from the 
LAN network into the TDM network is thus made possible. 

[0021] The MIKEY messages are transported in the LAN network for example via the SIP 
protocol. In the gateway the contents of the MIKEY messages can then be cut out of the SIP 
message and inserted into the PPP tunnel. It would however also be conceivable for the 
gateway to simply send the SIP messages onwards in the PPP tunnel, without cutting out the 
MIKEY messages. In such a case the protocol processing unit of the security module must be 
able to process the SIP protocol. Thus a solution is also conceivable in which the security 
module SM functions as an SIP end point. In relation to the data which is transported via the 
SRTP protocol, the gateway G only assumes a forwarding function and does not modify the 
data. This also applies to the actual key exchange data in the form of MIKEY messages. 
Where necessary the gateway can however also be included as a trustworthy component in the 
connection, in order to allow "lawful interception", for example. 

[0022] The arrows in the lower part of Figure 1 again illustrate the inventive mechanism. The 
double arrow labeled p-IP (p-IP = plain IP) highlights the fact that a purely IP-based encrypted 
data transmission is used between a VoIP client VoIP-C and the gateway G. By contrast a 
modem connection is used between the gateway G and a TDM client TDM-C for encrypted data 
transport, over which the PPP protocol runs, with which IP data packets are again transported. 
This is indicated by the double arrow IP-PPP-TDM. Despite these different connection 
mechanisms, an end-to-end encryption between a client in the LAN network and a client in the 
TDM network is obtained using the key exchange protocol MIKEY and the transport 
protocol SRTP. This is highlighted by the double arrows labeled MIKEY-KM and 
SRTP-MS. 
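As an added illustration that is not part of the specification, the following Python model shows the gateway behaviour of [0021] and [0022]: MIKEY is cut out of the SIP message and re-framed for the PPP tunnel, SRTP packets are forwarded byte-for-byte, and the security module on the TDM side checks that the SRTP authentication tag (RFC 3711 default: HMAC-SHA1 truncated to 80 bits) still verifies, which is what makes the encryption end-to-end across the gateway. The tunnel frame types, the SIP message, the key and the packets are constructed assumptions; MIKEY key derivation itself is not modeled.

```python
import hashlib
import hmac
import struct
# Tunnel frame types and sample values below are constructed for this model.
TUNNEL_KEY_MGMT = 0x01   # MIKEY message cut out of SIP, carried in the PPP tunnel
TUNNEL_MEDIA = 0x02      # SRTP packet forwarded byte-for-byte
AUTH_TAG_LEN = 10        # RFC 3711 default: HMAC-SHA1 tag truncated to 80 bits
MIKEY_MSG = b"MIKEY-I-MESSAGE-PLACEHOLDER"
SIP_INVITE = (b"INVITE sip:tdm-c@example.invalid SIP/2.0\r\nContent-Type: application/mikey\r\n"
              b"Content-Length: %d\r\n\r\n" % len(MIKEY_MSG)) + MIKEY_MSG
AUTH_KEY = b"\x11" * 20  # stands in for the SRTP session auth key both ends obtain via MIKEY

def extract_mikey_from_sip(sip_message: bytes) -> bytes:
    """Cut the MIKEY body out of a SIP message whose Content-Type is application/mikey."""
    head, _, body = sip_message.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if headers.get(b"content-type") != b"application/mikey":
        raise ValueError("SIP message carries no MIKEY body")
    return body[: int(headers[b"content-length"])]

def gateway_to_tunnel(sip_message: bytes, srtp_packets: list) -> list:
    """Gateway G: re-frame MIKEY for the PPP tunnel, forward SRTP packets unmodified."""
    frames = [bytes([TUNNEL_KEY_MGMT]) + extract_mikey_from_sip(sip_message)]
    return frames + [bytes([TUNNEL_MEDIA]) + pkt for pkt in srtp_packets]

def srtp_auth_tag(auth_key: bytes, authenticated_portion: bytes, roc: int = 0) -> bytes:
    """RFC 3711 tag: HMAC-SHA1 over (RTP header || encrypted payload || 32-bit ROC)."""
    msg = authenticated_portion + struct.pack("!I", roc)
    return hmac.new(auth_key, msg, hashlib.sha1).digest()[:AUTH_TAG_LEN]

def build_srtp_packet(auth_key: bytes, seq: int, encrypted_payload: bytes) -> bytes:
    # RTP v2 header: V=2 P=0 X=0 CC=0 | M=0 PT=0 | seq | timestamp | SSRC (constructed)
    header = struct.pack("!BBHII", 0x80, 0x00, seq, 160 * seq, 0x1234ABCD)
    body = header + encrypted_payload
    return body + srtp_auth_tag(auth_key, body)

def verify_srtp_packet(auth_key: bytes, packet: bytes) -> bool:
    """Receiver check; fails if the gateway or anyone in between altered the packet."""
    body, tag = packet[:-AUTH_TAG_LEN], packet[-AUTH_TAG_LEN:]
    return hmac.compare_digest(srtp_auth_tag(auth_key, body), tag)

def tdm_side_receive(frames: list, auth_key: bytes) -> dict:
    """Security module SM on the TDM side: split key management from media, verify media."""
    result = {"mikey": None, "verified": 0, "rejected": 0}
    for frame in frames:
        if frame[0] == TUNNEL_KEY_MGMT:
            result["mikey"] = frame[1:]
        elif verify_srtp_packet(auth_key, frame[1:]):
            result["verified"] += 1
        else:
            result["rejected"] += 1
    return result
```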

[0023] The transmission of encryption protocols known from the IP world in a public 
telephone network is thus made possible in a simple manner with the inventive security module. 
This is guaranteed by a modem connection which, as a result of the bandwidths or transmission 
rates now possible with such a connection, makes possible the transport of real time data 
packets and signaling messages from the IP world. 
[0024] The invention has been described in detail with particular reference to preferred 
embodiments thereof and examples, but it will be understood that variations and modifications 
can be effected within the spirit and scope of the invention covered by the claims, which may 
include the phrase "at least one of A, B and C" as an alternative expression that means one or 
more of A, B and C may be used, contrary to the holding in SuperGuide v. DIRECTV, 358 F.3d 
870, 69 USPQ2d 1865 (Fed. Cir. 2004). 